Skip to content

Blog

SOC 2 Pentest Requirements Explained

July 4, 2026 · Invadel Team

If you’re preparing for a SOC 2 examination, “do we need a penetration test?” is one of the first questions that comes up. The honest answer is more nuanced than a yes or no.

Does SOC 2 technically require a pentest?

Not explicitly. The SOC 2 Trust Services Criteria do not name “penetration test” as a required control. But in practice, a penetration test is one of the most common ways companies demonstrate the Security criterion (specifically the controls around vulnerability management and system monitoring), and most auditors will ask for one as supporting evidence if you don’t already have a recent report on file.

Enterprise customers evaluating your SOC 2 report often ask directly, too. A clean penetration test report alongside your SOC 2 report answers a question your report alone doesn’t: has anyone actually tried to break in?

What your auditor wants to see

  • Recency. Testing performed within the last 12 months, ideally timed so results land inside your examination period.
  • Appropriate scope. Testing that covers the systems actually in your SOC 2 boundary, not a generic scan of unrelated infrastructure.
  • A real report, not a scanner export. Executive summary, methodology, findings with severity ratings, and remediation status.
  • Evidence of remediation. Findings that were identified and fixed, ideally with a retest confirming the fix.

Timing it before your audit

The order matters. Run the test with enough lead time to:

  1. Receive the report
  2. Remediate any significant findings
  3. Get a retest confirming the fix
  4. Have all of that finished before your auditor’s fieldwork begins

Waiting until the week before your audit to schedule testing is the most common mistake we see: if something significant is found, there’s no time left to fix it before the auditor asks about it.

Vanta and Drata compatibility

If you’re using a compliance automation platform like Vanta or Drata, your penetration test report and remediation evidence should be uploadable as supporting documentation against the relevant control. Ask whoever runs your test to format the report and any attestation letter so it drops cleanly into your existing evidence library instead of requiring reformatting.

What a SOC 2-ready report includes

  • Executive summary written for a compliance manager or auditor, not just an engineer
  • Scope aligned to your SOC 2 system boundary
  • Findings mapped to the controls they relate to
  • A retest confirming remediated findings are actually closed
  • An attestation letter, if your auditor or customer needs one

See our SOC 2 penetration testing page for how we scope and time testing around your examination, or get a quote to start.